The latest investigation of the FriedEx ransomware, which was initially dubbed BitPaymer after its discovery in July 2017, has shown that the data-encrypting malware was created by the authors of the notorious Dridex banking trojan. Dridex has been known to individual users, financial institutions, and companies since its discovery in 2014, when it was a relatively simple spin-off of some older projects.
The Dridex banking trojan has become a nightmare to many affected users because of its gradual development involving minor fixes and updates that are released on a weekly basis. The infection would monitor the user’s visits to bank sites and steal confidential banking information, leaving millions of users affected.
The discovery of the connection between FriedEx and Dridex suggests that the cyber gang behind these two dreadful infections is systematically updating its existing malware and creating new threats based on the latest trends. It is evident that the crooks no longer limit themselves to their banking trojan but are seeking to affect a larger number of unprotected computers.
Once on the PC, the FriedEx ransomware encrypts all hard drive partitions and adds the extension .locked to every encrypted file. Encryption is carried out using an RC4 key, which is in turn encrypted with a hardcoded 1024-bit RSA key. The threat also creates two randomly named folders in the %LOCALAPPDATA% directory and deletes them after encryption is complete.
A typical ransomware infection demands a ransom that is presented either in a program window or in a .txt or .html file. In the case of the FriedEx ransomware, only a notepad file containing instructions for the victim is created.
The ransom warning starts with the sentence “Your network has been penetrated,” and the victim is informed that files have been encrypted using a strong algorithm. The attackers advise the user against resetting or shutting down the computer to prevent permanent data loss. The truth is that the FriedEx ransomware deletes itself, so only its installer or some other files of minor importance remain on the PC.
The ransom note generated by FriedEx does not tell the victim the exact amount expected to be paid. Instead of providing a fixed sum, the attackers ask the victim to contact them at firstname.lastname@example.org. It is very likely that the sum differs depending on when the victim reaches out to the schemers. In case no reply is received within 24 hours, the victim is instructed to use the TOR browser for an alternative contact email and ransom page.
The FriedEx ransomware appears to be targeting not only individual users but also companies. To infect computers, FriedEx gains access to targets via an RDP brute-force attack, a method frequently used by various ransomware infections. To inhibit malware infiltration, it is advisable to use strong RDP passwords so that cyber crooks do not manage to sneak in.
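The brute-force entry described above leaves a characteristic trail in the Windows Security log: bursts of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive, i.e. RDP) from one source address, often followed by a successful logon (Event ID 4624) once a password is guessed. The following detection logic is an added example written for this page, not tooling from the article; the event records are constructed inline in a simplified dictionary form, and the threshold and window values are assumptions a defender would tune to their own environment.

```python
"""Flag RDP brute-force activity from simplified Windows Security log records.

Added example (not from the original article). Each record mirrors the
fields a defender would pull from Event ID 4625/4624: timestamp, event id,
logon type, source address and target account. All records below are
constructed sample data; the IP addresses are documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
REMOTE_INTERACTIVE = 10  # LogonType value used for RDP sessions


def _ts(seconds):
    """Timestamp helper for the constructed sample timeline."""
    return datetime(2018, 1, 26, 3, 0, 0) + timedelta(seconds=seconds)


# Constructed sample events: one source spraying twelve guesses in under a
# minute and then succeeding, one source with two benign mistypes, and one
# console (LogonType 2) failure that is not RDP and must be ignored.
SAMPLE_EVENTS = (
    [{"time": _ts(i * 4), "event_id": FAILED_LOGON, "logon_type": REMOTE_INTERACTIVE,
      "source_ip": "203.0.113.7", "account": name}
     for i, name in enumerate(["administrator", "admin", "backup", "administrator",
                               "sqlservice", "admin", "scan", "administrator",
                               "test", "admin", "Administrator", "itadmin"])]
    + [{"time": _ts(60), "event_id": SUCCESSFUL_LOGON, "logon_type": REMOTE_INTERACTIVE,
        "source_ip": "203.0.113.7", "account": "administrator"}]
    + [{"time": _ts(10), "event_id": FAILED_LOGON, "logon_type": REMOTE_INTERACTIVE,
        "source_ip": "198.51.100.4", "account": "jsmith"},
       {"time": _ts(25), "event_id": FAILED_LOGON, "logon_type": REMOTE_INTERACTIVE,
        "source_ip": "198.51.100.4", "account": "jsmith"}]
    + [{"time": _ts(30), "event_id": FAILED_LOGON, "logon_type": 2,
        "source_ip": "-", "account": "localuser"}]
)


def detect_rdp_bruteforce(events, threshold=10, window=timedelta(minutes=5)):
    """Return {source_ip: summary} for sources with >= threshold failed RDP
    logons inside any sliding window of the given length.

    threshold and window are assumed tuning values, not figures from the
    article. The summary notes whether a successful RDP logon followed the
    failures, which is the signal that matters most for incident response.
    """
    by_source = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != REMOTE_INTERACTIVE:
            continue  # only RDP sessions are of interest here
        by_source[ev["source_ip"]].append(ev)

    findings = {}
    for ip, evs in by_source.items():
        failures = [e for e in evs if e["event_id"] == FAILED_LOGON]
        # Sliding window: largest number of failures within `window` seconds.
        peak, start = 0, 0
        for end in range(len(failures)):
            while failures[end]["time"] - failures[start]["time"] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak < threshold:
            continue
        first_failure = failures[0]["time"]
        success_after = any(e["event_id"] == SUCCESSFUL_LOGON and e["time"] >= first_failure
                            for e in evs)
        findings[ip] = {
            "failed_attempts": len(failures),
            "peak_in_window": peak,
            "accounts_tried": sorted({e["account"].lower() for e in failures}),
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, summary in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, summary)
```

A source that is flagged with `success_after_failures` set to true deserves immediate attention, because it indicates the password guessing paid off; strong, unique RDP passwords and an account lockout policy are what keep the peak count from ever reaching a successful logon.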
That said, RDP is not the only method for accessing unprotected or poorly protected systems. Ransomware is also distributed via email and software sharing websites. For example, an email may contain a phishing link that initiates the download of malware. Freeware sharing websites may also be crammed with malware that opens a backdoor for more nefarious threats. Hence, instead of downloading software from aggregators, acquire your preferred applications from their authors, and do not ignore the software's ratings and reviews, which may help you make the final decision.
When your data is encrypted, you should remove the infection and start making backup copies to offline devices so that your valuable data can be accessed whenever necessary. Since the FriedEx threat kills itself after having encrypted files, all you can do is remove recently downloaded files that might be associated with the threat.
Furthermore, it is important to shield the operating system from other ransomware infections because this is how you can be certain that you can browse the Internet safely without risking your valuable data. Malware programs vary in their complexity and purposes, but their shared goal is to access your PC and take advantage of you in any way possible. Hence, if you want to prevent FriedEx and other similar threats, do not wait any longer but implement a malware removal tool.
| # | File Name | File Size (Bytes) | File Hash |
|---|-----------|-------------------|-----------|
| 1 | a89dd16d61c063b478abcbff28100a4f4d51e285ce9cefb0a3429fef11f20f97.exe | 167936 | MD5: c3a1163f5c903898793c93edf4427b5a |